
CVE-2024-35791: Vulnerability in the Linux kernel (KVM / AMD SVM)

Severity: High (the CVE record itself carries no CVSS score; this rating is the site's own)
Published: Fri May 17 2024 (05/17/2024, 12:24:49 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region() Do the cache flush of converted pages in svm_register_enc_region() before dropping kvm->lock to fix use-after-free issues where region and/or its array of pages could be freed by a different task, e.g. if userspace has __unregister_enc_region_locked() already queued up for the region. Note, the "obvious" alternative of using local variables doesn't fully resolve the bug, as region->pages is also dynamically allocated. I.e. the region structure itself would be fine, but region->pages could be freed. Flushing multiple pages under kvm->lock is unfortunate, but the entire flow is a rare slow path, and the manual flush is only needed on CPUs that lack coherency for encrypted memory.

AI-Powered Analysis

Last updated: 06/28/2025, 03:11:37 UTC

Technical Analysis

CVE-2024-35791 is a use-after-free in the Linux kernel's KVM subsystem, in the AMD SVM (Secure Virtual Machine) backend that implements SEV encrypted guests. The affected function, svm_register_enc_region(), services the KVM_MEMORY_ENCRYPT_REG_REGION ioctl: it pins the user pages of a guest memory range, records them in a region structure whose page array (region->pages) is a separate dynamic allocation, adds the region to the VM's list under kvm->lock, and flushes caches for those pages so that guest data is written back with the correct C-bit before the guest changes the range's encryption attribute. Before the fix, that cache flush ran after kvm->lock had already been dropped. In that window another task with access to the same VM file descriptor could go through the unregister path (__unregister_enc_region_locked(), reached via KVM_MEMORY_ENCRYPT_UNREG_REGION) and free both the region and region->pages, so the flush then dereferenced freed memory. Copying fields into local variables would not have been enough: that keeps the region struct usable, but region->pages is its own allocation and would still be freed underneath the flush.

The fix moves the flush inside the locked section, so the region cannot be torn down until registration has finished using it. Holding kvm->lock across a multi-page flush is slower, but registration is a rare slow path, and the manual flush is only performed on CPUs that do not advertise hardware cache coherency for encrypted memory; on coherent parts it is skipped entirely.

Two points matter for assessing exposure. First, the vulnerable path is reachable only through the host's KVM ioctl interface on a VM file descriptor; guest code cannot invoke it, so the attacker is host userspace that controls, or has compromised, a VMM process (or a local process that can open /dev/kvm and create its own SEV guest). Second, the path is exercised only for SEV guests, since only they register encrypted regions; hosts without SEV guests never run it. No public exploit is known. The CVE record lists affected versions by git commit rather than by release number; distribution advisories map those to their own package versions.
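The ordering problem described above, as an added example that is not the kernel's code: a single-threaded userspace C model of the two orderings. kvm_sim, kfree_sim, task_fn, run_scenario and the uaf_hits_* functions are invented for the model; the real functions it mimics (svm_register_enc_region(), __unregister_enc_region_locked(), sev_clflush_pages()) are not called, and the "waiter" slot stands in for a task blocked in mutex_lock(&kvm->lock).

```c
/* Added example, not kernel code: a single-threaded userspace model of the
 * ordering bug behind CVE-2024-35791. kvm->lock is a flag plus a "waiter" slot
 * (a task that finds the lock held runs as soon as it is released, like a mutex
 * waiter), and kfree() is a KASAN-style quarantine so a use-after-free is
 * counted instead of crashing the process. All names here are invented. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

#define MAX_QUARANTINE 16
static void *quarantine[MAX_QUARANTINE]; /* "freed" pointers, kept mapped */
static int nquarantine;

static void kfree_sim(void *p) { if (nquarantine < MAX_QUARANTINE) quarantine[nquarantine++] = p; }
static void quarantine_release(void) { while (nquarantine > 0) free(quarantine[--nquarantine]); }
static bool is_freed(const void *p)
{
    for (int i = 0; i < nquarantine; i++) if (quarantine[i] == p) return true;
    return false;
}

struct enc_region { unsigned long *pages; size_t npages; }; /* pages is its own allocation, as in the kernel */
struct kvm_sim; typedef void (*task_fn)(struct kvm_sim *);
struct kvm_sim {
    bool lock_held;            /* stands in for kvm->lock */
    task_fn waiter;            /* task blocked in mutex_lock(&kvm->lock) */
    struct enc_region *region; /* one-slot stand-in for sev->regions_list */
    int uaf_hits;              /* flush accesses that hit quarantined memory */
};

static void kvm_lock(struct kvm_sim *kvm) { if (kvm->lock_held) abort(); kvm->lock_held = true; }
static void kvm_unlock(struct kvm_sim *kvm)
{
    task_fn w = kvm->waiter;
    if (!kvm->lock_held) abort();
    kvm->lock_held = false; kvm->waiter = NULL;
    if (w) w(kvm); /* hand the lock to the task that was waiting for it */
}

/* Model of sev_clflush_pages(): dereferences region, then region->pages. */
static void clflush_pages(struct kvm_sim *kvm, struct enc_region *region)
{
    if (is_freed(region) || is_freed(region->pages)) { kvm->uaf_hits++; return; } /* KASAN would report here */
    for (size_t i = 0; i < region->npages; i++) (void)region->pages[i]; /* the flush is a no-op touch */
}

/* The competing task: __unregister_enc_region_locked() under kvm->lock. */
static void concurrent_unregister(struct kvm_sim *kvm)
{
    struct enc_region *region;
    if (kvm->lock_held) { kvm->waiter = concurrent_unregister; return; } /* mutex_lock() would block */
    kvm_lock(kvm);
    if ((region = kvm->region)) { kvm->region = NULL; kfree_sim(region->pages); kfree_sim(region); }
    kvm_unlock(kvm);
}

static struct enc_region *alloc_region(size_t npages)
{
    struct enc_region *region = calloc(1, sizeof(*region));
    if (region && !(region->pages = calloc(npages, sizeof(*region->pages)))) { free(region); region = NULL; }
    if (region) region->npages = npages;
    return region;
}

/* Pre-fix ordering: publish under the lock, drop the lock, then flush. */
static int register_enc_region_vulnerable(struct kvm_sim *kvm, size_t npages, task_fn other_task)
{
    struct enc_region *region = alloc_region(npages);
    if (!region) return -ENOMEM;
    kvm_lock(kvm); kvm->region = region; kvm_unlock(kvm);
    if (other_task) other_task(kvm); /* runs at once and frees region and region->pages */
    clflush_pages(kvm, region);      /* use-after-free */
    return 0;
}

/* Fixed ordering: flush before dropping kvm->lock. */
static int register_enc_region_fixed(struct kvm_sim *kvm, size_t npages, task_fn other_task)
{
    struct enc_region *region = alloc_region(npages);
    if (!region) return -ENOMEM;
    kvm_lock(kvm); kvm->region = region;
    if (other_task) other_task(kvm); /* blocks on kvm->lock until we are done with region */
    clflush_pages(kvm, region);
    kvm_unlock(kvm);                 /* only now does the waiting task free region */
    return 0;
}

/* One registration with the competing task arriving mid-way; returns how many
 * flush accesses hit freed memory (0 means no use-after-free). */
static int run_scenario(int (*reg)(struct kvm_sim *, size_t, task_fn), task_fn other_task)
{
    struct kvm_sim kvm = { false, NULL, NULL, 0 };
    if (reg(&kvm, 4, other_task) != 0) return -1;
    concurrent_unregister(&kvm); /* tear-down; no-op if the race already ran */
    quarantine_release();
    return kvm.uaf_hits;
}

int uaf_hits_vulnerable(void) { return run_scenario(register_enc_region_vulnerable, concurrent_unregister); }
int uaf_hits_fixed(void)      { return run_scenario(register_enc_region_fixed, concurrent_unregister); }
int uaf_hits_no_race(void)    { return run_scenario(register_enc_region_vulnerable, NULL); }
```

Build it with a main() that calls the three uaf_hits_* functions: the pre-fix ordering reports one access to freed memory, the fixed ordering and the race-free run report none. The model also shows why local copies would not have helped: clflush_pages() checks region->pages on its own, and that allocation is freed whether or not the caller still holds a valid region pointer. In the real kernel the counter corresponds to a KASAN slab-use-after-free report, or to a crash on a production build.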

Potential Impact

For European organizations, the exposure is confined to hosts that run AMD SEV guests on Linux KVM. The vulnerable path is reached only through the KVM_MEMORY_ENCRYPT_REG_REGION and KVM_MEMORY_ENCRYPT_UNREG_REGION ioctls on a VM file descriptor, which guest code cannot issue, so this is not a guest-to-host escape on its own. The realistic attacker is host userspace that already controls a VMM process, for example through a separate bug in QEMU or another VMM, or a local account that can open /dev/kvm on an SEV-enabled host and create its own SEV guest. Winning the race yields a use-after-free in the host kernel, so the outcome ranges from a host crash (denial of service for every guest on that machine) to kernel memory corruption that a capable attacker could try to turn into host-kernel privilege escalation, defeating the sandboxing (seccomp, namespaces, reduced privileges) that normally confines a compromised VMM. That is the scenario that matters for cloud and hosting providers, and for any data centre that relies on SEV to isolate tenants' workloads from one another and from the operator: a VMM compromise that should have been contained to one guest could instead reach the host. Organisations in finance, healthcare, telecommunications and government that run regulated workloads on such hosts should treat the issue as a host-integrity and availability risk rather than a guest-escape risk. Hosts without SEV guests do not exercise the code path. No public exploit is known.

Mitigation Recommendations

1. Apply the kernel update that carries the fix for CVE-2024-35791 as soon as your distribution ships it. Where live patching is available, use it so that SEV hosts need not be drained of guests first.
2. Find out which hosts actually reach the vulnerable path. Only AMD hosts with SEV enabled in kvm_amd (`/sys/module/kvm_amd/parameters/sev` reads `Y`) and with processes that create SEV guests exercise it; every other host can be patched on the normal cycle.
3. If patching an exposed host must wait, the only configuration change that removes the path is to stop running SEV guests there (or to load kvm_amd with sev=0). That forfeits guest memory encryption, so weigh it against the attacker model: the race can only be triggered from host userspace holding a VM file descriptor.
4. Tighten who can obtain such a descriptor. Restrict /dev/kvm to the accounts that run VMMs, and keep the VMM itself confined (dedicated unprivileged user, seccomp filter, namespaces), since an attacker needs code execution there before this bug becomes reachable.
5. Watch host kernel logs. A mis-timed race surfaces as a kernel oops or, on KASAN-enabled builds, a slab-use-after-free report in the KVM SVM code; ship dmesg and journal output centrally and alert on oopses attributed to kvm_amd.
6. After patching, run the usual virtualization regression tests. The fix only moves a cache flush under kvm->lock on the rare registration path, and the flush is skipped entirely on CPUs with hardware cache coherency for encrypted memory, so no measurable performance change is expected; confirm rather than assume.
7. Periodically review host virtualization configuration to keep the attack surface minimal, including disabling SEV on hosts that do not run confidential guests.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-17T12:19:12.339Z
CISA Enriched: true
CVSS Version: null (no CVSS score in the CVE record)
State: PUBLISHED

Threat ID: 682d9821c4522896dcbddc34

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 6/28/2025, 3:11:37 AM

Last updated: 8/5/2025, 6:47:12 AM


